
The problem isn't that it's displaying an important security setting in a way that forces users to notice it. Kudos to Microsoft for finally having the courage to do so. Rather, the problem is that they haven't surfaced a method for expert users to disable the warning.

I think I found that method.

Run `gpedit.msc`. Navigate to:

    Computer Policy > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives

Set the following two policies to Disabled:

    Allow Secure Boot for integrity validation

    Use enhanced Boot Configuration Data validation profile

That should make the watermark disappear.

I've only got to wonder how Microsoft comes up with these crazy menus. Why would Secure Boot settings be under BitLocker Drive Encryption?

It's all wrapped up in the same technology platform - SecureBoot and BitLocker work together/are the same thing in some cases during the boot process. There are differences, but I don't want to be pedantic.

As a non-Microsoft employee I'd never know that drive encryption and Secure Boot settings would be the same 'technology' or even under 'BitLocker', as BitLocker to me is the same as OS X FileVault or TrueCrypt.

Why wouldn't you just put BitLocker, anti-virus, Secure Boot, UAC, etc. under one menu called 'Comp. Security'?

Because then there'd be hundreds of settings in the same folder. This isn't a user-visible menu or a wizard for configuring security settings, this is something for expert users to really modify how their OS is designed.

Your suggestion is akin to putting every RHEL/SLED/Ubuntu security setting into one flat configuration file. IPSec, Sudo (and gksudo and friends), anti-virus, cryptfs, apparmor / selinux, ufw / iptables, package signing requirements (including repositories to use), etc.

Something like that would never happen even if Red Hat did control all of the pieces of the puzzle. Now contrast Linux versus Windows here: if you want to configure those things you have to discover the tools or file formats for each security layer configuration manually, versus going into "gpedit.msc" and having categorized settings for the whole OS.

Still, it's the same rationale as sticking your network adapters configuration under http server configuration. The httpd uses the network, right?

Still makes no sense.

BitLocker is basically its own concept[1], separate from something like Filevault or Truecrypt, and it requires Secure Boot to really do what it does.

BitLocker, although it can be used to encrypt external/data volumes, is primarily a technology for encrypting the boot volume and then storing the encryption key in the TPM chip. That encryption key can itself be encrypted using some combination of a passphrase, a biometric signature, and a smart card, which must be presented at startup.

In the TPM chip, along with the boot-volume encryption key, there is stored a manifest of SHA signatures for important OS files (specifically, the kernel and drivers required to bring up policy-based security like ACLs and domain authentication.) This manifest is signed by that same encryption key. Thus, the bootstrap loader, having retrieved the credentials necessary to make use of the TPM, can then verify the manifest with the key, and then use the manifest to verify that the OS it's going to boot into can be trusted, and will continue to protect the security of the files stored on the drive when control is passed to it.

This whole setup basically means that there's no way to get data off a BitLocker+Secure Boot computer without it allowing it (or, in limited cases, doing tricks with sticking RAM chips in liquid nitrogen.) If you didn't have BitLocker, you could just read the data "at rest"; if you didn't have Secure Boot, you could just install a rootkit and grab the data "in motion."

[1] Really, I think the only reason the two technologies (BitLocker and Secure Boot) ended up with different names is that they were supposed to be two subfeatures of one initiative -- Microsoft Palladium or http://en.wikipedia.org/wiki/Next-Generation_Secure_Computin... -- but that initiative was shelved (likely due to the huge public backlash), leaving just these few practical remnants behind. (It's pretty obvious that the BitLocker Settings panel was originally the Palladium Settings panel; it's where you go to reset TPM keys et al.)
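The comment above describes the core idea: the volume key is released only when the components the machine booted through are the ones it was provisioned with. As an added example (not code from the post, nor BitLocker's or any TPM's actual format), here is a simplified model of that idea in Python. Boot components are measured into a PCR-like register with an extend operation, and the volume key is sealed to the expected register value; a boot through a modified component produces a different register value and the key is withheld. The component images, the "TPM secret" and the HMAC/XOR sealing construction are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed boot components: stand-ins for the boot manager, kernel and early drivers.
GOOD_BOOT = [
    ("bootmgr", b"boot manager image v1"),
    ("kernel", b"kernel image v1"),
    ("early drivers", b"driver set v1"),
]


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: a PCR can only be moved forward, never set directly,
    so its final value commits to every measurement and to their order."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot_chain(components) -> bytes:
    """Hash each component image and extend it into one PCR, starting from all-zero."""
    pcr = bytes(32)
    for _name, image in components:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


def seal(volume_key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Bind the volume key to an expected PCR value.
    Constructed stand-in for TPM sealing: a wrapping key is derived from a
    secret that never leaves the 'TPM' plus the PCR value; the wrapped key is
    tagged so a wrong PCR is detected instead of yielding garbage."""
    kek = hmac.new(tpm_secret, expected_pcr, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))  # 32-byte key, 32-byte KEK
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"wrapped": wrapped, "tag": tag}


def unseal(blob: dict, current_pcr: bytes, tpm_secret: bytes):
    """Release the volume key only if the PCR measured during this boot
    matches the one the key was sealed against; otherwise return None."""
    kek = hmac.new(tpm_secret, current_pcr, hashlib.sha256).digest()
    tag = hmac.new(kek, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], kek))


def demo_measured_boot() -> dict:
    tpm_secret = b"\x07" * 32   # constructed; stands in for the TPM's internal secret
    volume_key = b"\x42" * 32   # constructed; the full-volume encryption key
    expected = measure_boot_chain(GOOD_BOOT)
    blob = seal(volume_key, expected, tpm_secret)

    # Normal boot: same components in the same order, same PCR, key released.
    released = unseal(blob, measure_boot_chain(GOOD_BOOT), tpm_secret)

    # Boot with one component changed: PCR differs, key withheld.
    modified = [
        (name, b"driver set v1 plus unknown driver" if name == "early drivers" else image)
        for name, image in GOOD_BOOT
    ]
    withheld = unseal(blob, measure_boot_chain(modified), tpm_secret)

    return {
        "normal_boot_released": released == volume_key,
        "modified_boot_released": withheld is not None,
    }


if __name__ == "__main__":
    print(demo_measured_boot())
```

The point the model makes concrete is why the two features are coupled: the measurements are only meaningful if the firmware refuses to hand control to an unmeasured or unsigned component in the first place, which is what Secure Boot contributes, and the key protector is only useful if something refuses to release the key when the measurements change, which is the sealing step.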

Then it should be readily available from the Control Panel and not through GPO.

MS hides things in GPO or registry settings when it wants to alleviate the concerns of network administrators while still managing to infuriate the end users who have no business touching 'their' operating system.

> It's all wrapped up in the same technology platform

And that's, of course, absolutely intuitive.

Why would "Shutdown" be under devices?

> they haven't surfaced a method for expert users to disable the warning

In the most user-hostile move ever, I wanted to disable the "automatic restart in 15 minutes" thing on Windows 8 (Home). It required adding a registry key(!) I hope there's an easier way that I just somehow missed...

It's been changed in Windows 8 to not have that automatic restart as bad. There's also a Group Policy which lets you disable the forced update. It just tells you there's updates that require you to restart.

I believe the Group Policy requires Pro though. And this was Windows 8: a full-screen banner would pop up saying the computer would restart in 15 minutes, with no option to permanently dismiss it.

Err, I meant 8.1. I forgot what they did, but I think it gives you an extra day now instead of just 15 minutes.

I can't tell you how many times I've had my system automatically reboot while I was in the middle of working, once during a presentation. There is a "hide this notice" button, but no "Please don't shut down right now" button.

Really, really, horrible experience.

During the beta phase, they had mentioned that updates wouldn't do that, that they would auto apply the next time you rebooted.

I really think that all they should do is display a message that says, "New security updates have been installed. To ensure your computer is secure, please reboot your computer."

Updates do auto-apply the next time you reboot--provided you do reboot, at some point.

The problem Microsoft is balancing against is people who never ever reboot their computers no matter what--and thus never update, and become infection vectors. They have to force these people to update against their will to ensure the digital equivalent of herd immunity. And it's really quite hard to tell whether the user trying to "permanently" dismiss the "REBOOT NOW GOSH DARNIT" popup really has something urgent they're doing, or is just a "power user" who thinks they know better than the computer.

But then people won't do it. You have to force security update installs. There's really no better way around it. I think you have two days after the updates install before it forces you to reboot. That should be enough time, right?

Perhaps a better question is why a reboot is needed in so many circumstances. Windows users have been trained to accept reboots as normal over many, many years. We used to need to reboot after every single application install. Very few OS pieces should actually require a full reboot instead of merely restarting a process or two.

Windows cannot delete/replace files that are open. That's the cause of most reboots: it will replace them before services or apps that use them start again.

Not that I'm apologizing for its behavior. It was a design decision that the Windows team made in the past, when it was deemed not important and worth the reduction in complexity. Now it just comes back and bites them.

>Windows cannot delete/replace files, that are open.

Not exactly. It's up to the application which opens files to control whether the file can be modified externally. It can do this in two ways. (1) Open the file in some FILE_SHARE_* mode and let the OS sort it out. (2) Use opportunistic locks that will detect external access and then let the app decide how to react; anti-virus programs use this when they are scanning files.

>That's the cause of most reboots, it will replace them before services or apps that use them start again.

Actually the cause for reboots is much more mundane. Files replaced on disks means new programs using those files get the new version, however, processes which are already running keep using the older version in memory and are thus open to being exploited by bugs that are already patched.

On servers, things are a bit different. To prevent downtime you can 'hotpatch' the update and thus avoid the reboot.

Linux doesn't solve the problem either with its ability to replace open files. It just means you run into potential compatibility issues if you modify a shared lib and then two processes try to perform IPC that might rely on false assumptions (I believe this is exceedingly rare in practice), and to update kernel components or long-lived services you still need to restart them.

You can perform hot updates to a system but it can be complex and there are a number of restrictions on the types of updates that can be done.
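The two comments above make the same point from different directions: replacing a file on disk does not change what an already-running process has mapped, so the old (unpatched) code keeps running until that process restarts. As an added example (not from the thread), this Python script reproduces that on Linux: it maps a file, "updates" it the way a package manager does (write a new file, rename it over the old one), and shows that the mapping still sees the old bytes. It also includes the check tools like needrestart rely on: scanning `/proc/<pid>/maps` for mappings the kernel marks `(deleted)`, which is how you find processes that still need a restart after an update. The file name `libexample.so` and its contents are constructed.

```python
import mmap
import os
import tempfile

STALE_SUFFIX = " (deleted)"


def stale_file_mappings(pid="self"):
    """Return the set of file paths a process still has mapped even though the
    file on disk has since been deleted or replaced. The kernel marks such
    mappings with a '(deleted)' suffix in /proc/<pid>/maps. Memfd and other
    pseudo-files are skipped; on a non-Linux system or for a process that has
    exited the result is empty."""
    stale = set()
    try:
        with open(f"/proc/{pid}/maps") as maps:
            for line in maps:
                fields = line.rstrip("\n").split(maxsplit=5)
                if len(fields) < 6:
                    continue  # anonymous mapping, no backing file
                path = fields[5]
                if path.endswith(STALE_SUFFIX) and path.startswith("/") and not path.startswith("/memfd:"):
                    stale.add(path[: -len(STALE_SUFFIX)])
    except (FileNotFoundError, PermissionError):
        pass
    return stale


def demo_replace_mapped_file():
    """Map a file, replace it on disk with an atomic rename, and report what the
    running mapping, the disk, and /proc each say afterwards."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "libexample.so")  # constructed; not a real library
    old_contents = b"OLD-VULNERABLE-CODE"
    new_contents = b"NEW-PATCHED-CODE"
    with open(path, "wb") as f:
        f.write(old_contents)

    # A running process keeps the old inode mapped.
    fd = os.open(path, os.O_RDONLY)
    mapping = mmap.mmap(fd, 0, access=mmap.ACCESS_READ)

    # The "update": write the new version and rename it over the old path.
    staged = path + ".tmp"
    with open(staged, "wb") as f:
        f.write(new_contents)
    os.replace(staged, path)

    result = {
        "mapped_bytes": bytes(mapping[:]),          # what the running process still executes
        "on_disk": open(path, "rb").read(),          # what a freshly started process would load
        "reported_stale": path in stale_file_mappings(),
    }

    mapping.close()
    os.close(fd)
    os.remove(path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    r = demo_replace_mapped_file()
    print("running process sees:", r["mapped_bytes"])
    print("disk now holds:      ", r["on_disk"])
    print("flagged in /proc:    ", r["reported_stale"])
```

To apply the same check fleet-wide, run `stale_file_mappings(pid)` over every numeric entry in `/proc` (as root, since other users' maps files are not readable otherwise) and treat any process with a stale mapping of a shared library or its own executable as still running pre-update code, whatever the package manager reports.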

I set those flags in group policy but the watermark doesn't go away. The only way to get rid of it is to re-enable SecureBoot in the BIOS.

This is really frustrating.
